RE: [m0n0wall] can't access to a domain name which is hosted in my LAN

Date: Thu, 13 Jan 2005 07:08:02 -0800

Thanks Josh,
Since I have 2 NICs on my server (Internal & External) I guess I can't use the firewall's IP address as
my DNS for my clients because my local network doesn't see the firewall since it's behind the External
NIC. Here is how they are set: DSL --> Firewall --> External NIC of Server --> Internal NIC of
Server --> Local Network.
Originally, when I configured my server, I used 2 NICs for security purposes and that's still how they
are set.
Do you have any suggestions for me?
________________________________
From: JSimoneau at lmtcs dot com [mailto:JSimoneau at lmtcs dot com]
Sent: Thu 1/13/2005 5:58 AM
To: Mike Razavi
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] can't access to a domain name which is hosted in my LAN
Mike,
I guess I don't fully understand where you are at this point, so I'll just
ramble off some things and hope you find something useful.
Computers on your LAN should be using a local (on the lan) DNS server for
name resolution. This should be a DNS server which only serves requests
for systems on the private LAN network, and not outside of that. Let's take
this example:
Your monowall has IP 64.100.71.50 and is NAT'ing port 80 to your
webserver, which has private IP address 192.168.1.5. The domain being
hosted is www.superdomain.com.
To PCs on the internet, if they try to resolve www.superdomain.com it will
resolve to 64.100.71.50, their http request will go to your monowall and
be forwarded to your web server by NAT. Good.
Now, if the PCs on your LAN try to resolve www.superdomain.com and get
64.100.71.50, if they try to go to that they will have problems. This is
because, to the LAN systems, the webserver isn't at 64.100.71.50, it's at
192.168.1.5. This is why you need a dedicated DNS server on your LAN to
serve requests on the LAN, because it needs to resolve things to the local
private IP address.
This is what the DNS forwarder in m0n0wall does.
First make sure PCs on the LAN are set to use the monowall's PRIVATE
(192.168.1.1 or whatever) IP address as their DNS server.
Make sure you have DNS servers listed in the General Setup tab of your
monowall, or that m0n0wall gets DNS servers from your ISP's DHCP.
Now, on the DNS forwarder tab, make sure the dns forwarder is enabled, and
add a new entry. For my example I would fill in:
Host: www
Domain: superdomain.com
IP Address: 192.168.1.5
Description: My super web server
Now www.superdomain.com will resolve to 192.168.1.5 as long as I am using
m0n0wall for my DNS server.
This should do it.
- Josh
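The split-horizon behaviour Josh describes, as an added illustration (not m0n0wall's code, and not part of the original thread): the override table mirrors the Host / Domain / IP Address fields on the DNS forwarder tab, the WAN address and upstream answers are constructed sample values, and the hairpin check flags any name a LAN client would be sent to via the firewall's own WAN address, which is the symptom Mike reported.

```python
"""Model of the two-view DNS setup from the reply above.

Added example, not m0n0wall code. The forwarder override rows mirror
the (Host, Domain, IP Address) fields of the DNS forwarder tab; the WAN
address, upstream answers and hostnames are constructed sample values.
"""
import ipaddress

# Constructed: the monowall's public (WAN) address from Josh's example.
WAN_IP = "64.100.71.50"

# Constructed: what the ISP's DNS servers (the upstream forwarders) answer.
UPSTREAM = {
    "www.superdomain.com": "64.100.71.50",   # NAT'd to the LAN web server
    "mail.superdomain.com": "64.100.71.50",  # NAT'd, but no override row yet
    "www.example.net": "203.0.113.10",       # an ordinary external host
}

# Constructed: DNS forwarder override rows (Host, Domain, IP Address).
OVERRIDES = [
    {"host": "www", "domain": "superdomain.com", "ip": "192.168.1.5"},
]


def _fqdn(name):
    return name.rstrip(".").lower()


def resolve_from_lan(name, overrides=OVERRIDES, upstream=UPSTREAM):
    """Answer as the DNS forwarder does for a LAN client: an override row
    wins; otherwise the upstream (public) answer is passed through."""
    fqdn = _fqdn(name)
    for row in overrides:
        if _fqdn(f"{row['host']}.{row['domain']}") == fqdn:
            return row["ip"]
    return upstream.get(fqdn)


def resolve_from_wan(name, upstream=UPSTREAM):
    """Answer an Internet client gets: only the public view exists there."""
    return upstream.get(_fqdn(name))


def hairpin_risks(names, wan_ip=WAN_IP, overrides=OVERRIDES, upstream=UPSTREAM):
    """Names that a LAN client would still be sent to via the firewall's
    WAN address, i.e. hosted services that lack an override row."""
    return [n for n in names
            if resolve_from_lan(n, overrides, upstream) == wan_ip]


def validate_overrides(overrides=OVERRIDES):
    """Sanity-check override rows: each must carry a valid, private
    (RFC 1918) address, since the point of the row is a LAN-side answer."""
    problems = []
    for row in overrides:
        name = f"{row['host']}.{row['domain']}"
        try:
            addr = ipaddress.ip_address(row["ip"])
        except ValueError:
            problems.append(f"{name}: '{row['ip']}' is not an IP address")
            continue
        if not addr.is_private:
            problems.append(f"{name}: {addr} is not a private LAN address")
    return problems


if __name__ == "__main__":
    hosts = ["www.superdomain.com", "mail.superdomain.com", "www.example.net"]
    for h in hosts:
        print(f"{h}: LAN -> {resolve_from_lan(h)}, WAN -> {resolve_from_wan(h)}")
    print("still hairpinning through the WAN address:", hairpin_risks(hosts))
    print("override problems:", validate_overrides() or "none")
```

Running it shows www.superdomain.com answering 192.168.1.5 on the LAN and 64.100.71.50 from outside, while mail.superdomain.com is listed as still needing an override row; the validator catches the mistake of entering the public address in the IP Address field, which would reproduce the original problem.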
-----Original Message-----
From: Mike Razavi [mailto:mike at havepc dot com]
Sent: Wednesday, January 12, 2005 11:52 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] can't access to a domain name which is hosted in
my LAN
I think I found the problem but I am not sure yet.
Since I am using forwarders in my server to point my domains to the proper
ip address, so far I was using Host (A) which was pointing to the actual
public ip address. Now I just realized that it shouldn't point back to the
public ip address since this server is where the web pages are loading
from so I think it is supposed to have Alias (CNAME) as a forwarder! When
I changed Host (A) to Alias (CNAME) I was able to pull up my webpages
internally and externally.
Please advise.
Mike
-----Original Message-----
From: Mike Razavi [mailto:mike at havepc dot com]
Sent: Tuesday, January 11, 2005 9:50 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] can't access to a domain name which is hosted in my
LAN
First of all I want to thank you for the great firewall. It can't be any
better :-)
The only problem I currently have is I can't access the domain names
that I am hosting with my server from the LAN. On the other hand these domain
names are fully accessible from outside (WAN). My server, located inside
my LAN, is a DHCP server as well as a web server. (ADSL -> Firewall -> Server ->
Stations)
I looked at the FAQ 13.3 but couldn't fix my issue. Maybe I did something
wrong even after reading this FAQ!
I would really appreciate it if someone can help me out to get this problem
resolved.
Thanks,
Mike
---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch